from the Barbie-needs-a-better-firewall dept

Year after year, we're installing millions upon millions of "internet of things" devices on home and business networks that have only a fleeting regard for security or privacy. The width and depth of manufacturer incompetence on display can't be understated. Thermostats that prevent you from actually heating your home. Smart door locks that make you less secure. Refrigerators that leak Gmail credentials. Children's toys that listen to your kids' prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death.

The list goes on and on, and it grows exponentially by the week, especially as such devices are quickly compromised and integrated into massive new botnets. And as several security experts have noted, nobody in this chain of dysfunction has the slightest interest in doing much about this massive rise in "invisible pollution":

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

One core part of the problem is that IOT device makers refuse to provide much control or transparency over what their internet-connected devices actually do once online. Often the tools and device interfaces provided to the end user are comically simple, providing you with virtually no data on how much bandwidth your devices are consuming, or what data they're transferring back to the cloud (frequently unencrypted). As a result, many normal people are participating in historically massive DDOS attacks or having their every behavior monitored without having the slightest idea it's actually occurring.

To that end Princeton's computer science department has launched a research program called the IOT Inspector they hope will provide users with a little more insight into what IOT devices are actually up to. The researchers behind the project say they spent some time analyzing fifty different common IOT devices, and like previous studies found that security and privacy in these devices was a total shitshow. Sending private user data unencrypted back to the cloud was common:

Unfortunately, many of the devices we have examined lack even these basic security or privacy features. For example, the Withings Smart Blood Pressure Monitor included the brand of the device and the string “blood pressure” in unencrypted HTTP GET request headers. This allows a network eavesdropper to (1) learn that someone in a household owns a blood pressure monitor and (2) determine how frequently the monitor is used based on the frequency of requests. It would be simple to hide this information with SSL."

As were devices that immediately began chatting with all manner of partner services whether the user wants them to or not:

Samsung Smart TV: During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook—even though we did not sign in or create accounts with any of them.

Again, user control and transparency is almost always an afterthought. Obviously, the creation of some unified standards is one solution. As is creating routers and hardware that alert users to when their devices have been compromised. Smarter networks and hardware are going to need to be a cornerstone of any proposed solution, the researchers note:

We are experimenting with machine learning-based DDoS detection using features using IoT-specific network behaviors (e.g., limited number of endpoints and regular time intervals between packets). Preliminary results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of DDoS attacks with high accuracy using low-cost machine learning algorithms.

Of course better standards are going to need to be built on the backs of a joint collaboration between governments, companies, consumers and researchers. And while we've seen mixed results on that front so far, efforts like this (and the Consumer Reports' open source attempt to make privacy and security an integral part of product reviews) are definitely a step in the right direction.

Reader Comments

The only way you'll get standards adopted or security taken seriously will be when it hurts in the pockets. We can make it hurt now via regulations or we can wait until it hurts later because it will get out of control pretty badly. That's the choice we need to do now. I have this feeling it will not involve preemption.

Re: Re:

If so many cars can be broken into (notably Audis and Volkswagens added to that list recently), why is this not being looked at more seriously?

I have hope for this market, unlike the general IOT market. Cars and their contents are usually insured, and the insurers will eventually catch on and demand better security (and demand higher rates for insecure vehicles). Home insurers may similarly push for improvements in "smart" door locks etc.

With baby monitors, blood pressure monitors, ..., the owners of those devices will never have any reason to file an insurance claim because of manufacturer negligence. "Regular" people have no insurance against DDOS etc., and the companies who have this insurance are unlikely to have baby monitors. So there's no incentive.

Insecure Device Internet Of Things, was Re: Remember the Prefix

"Unfortunately, many of the devices we have examined lack even these basic security or privacy features. For example, the Withings Smart Blood Pressure Monitor included the brand of the device and the string “blood pressure” in unencrypted HTTP GET request headers. This allows a network eavesdropper to (1) learn that someone in a household owns a blood pressure monitor and (2) determine how frequently the monitor is used based on the frequency of requests. It would be simple to hide this information with SSL.""

Unfortunately just sending this over an SSL won't fix that problem either. It's just security theater in this case. The reason being none of these devices are going to be using encrypted DNS either, or if someone's really on the ball, simply tracking IP addresses for the requests. Privacy is a tough nut to crack and requires layers rather than one silver bullet fixes everything (usually encryption is the one trotted out by the unwashed).

"We are experimenting with machine learning-based DDoS detection using features using IoT-specific network behaviors (e.g., limited number of endpoints and regular time intervals between packets). Preliminary results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of DDoS attacks with high accuracy using low-cost machine learning algorithms."

More hand wavingly vague goals with a few buzzwords to dazzle the press in their press release. The only way to fix this problem entirely is to make the people that have these devices responsible for any damage they create with reasonable responses and (mandantory) education once a problem has been identified. You also hold manufacturers legally responsible for any negligence on their part for privacy leaks and negligent software upkeep (proper firmware updates).

This is no different than licensing any other use case where use of a community resource carries dangers to the general public: automobiles, radio frequency use, public park use permits, large structure construction permits, parking permits, etc. If you want to use the Internet then you need to prove you can do it and not be a danger to everyone else on it.

I refuse to use any IoT devices. I'm a growing Homekit house which is secure and all Encrypted. If you're an Android user, you're not going to be using Homekit. There's few IoT devices you can trust. In this day and age to release such a poor standard as IoT devices, have no excuse.

The article seems to define "security" as ensuring that the devicedoes no harm to Brian Krebs. I think we need a stronger definition:ensuring that the device does no harm to the person using it. Forinstance, it must not be able to collect the user's personal data onbehalf of anyone else, such as the manufacturer.